[ActiveDir] Account Lockouts in mixed mode

2001-10-17 Thread Fugleberg, David A

We have a mixed mode AD (Single forest/single tree/single domain), with
about 20 DCs and 35 BDCs.  Accounts are administered centrally by a very
small group, and they typically connect to the DC that holds the PDC
FSMO to do all administrative tasks. 

Our account lockout policy locks accounts after three bad attempts.
Over the past several months, we've seen a couple strange issues with
account lockouts:
1. Once in a while, a user will be locked out again and again for no
apparent reason.  For example, they arrive at work, attempt to log in,
and are locked out.  The admins unlock the account and the user logs in,
but if you check the account later it is locked out again. If the user
then logs out, they are unable to log in because of the lock.  We've seen
this happen to a given user several times over a few days, then
mysteriously disappear.  Some users have a great deal of trouble with
this; most never see it.

2. When an account is locked out, the admin will typically unlock it by
going to the Account tab on the user's object in Active Directory Users
and Computers.  In some cases, however, even after doing so the user is
unable to log on.  Since these folks are old-time NT admins, they will
then often open User Manager for Domains and try unlocking the account
from there.  Strangely, they sometimes need to perform the unlock from
BOTH tools before the user is able to log on.  At first, I thought this
was just a timing issue, or that they were looking at the account info
on different servers, but I have seen with my own eyes cases where ADU&C
connected to the PDC emulator shows one lockout status, and User Manager
for Domains shows another.

I'm trying to get the admins away from User Manager for Domains
altogether, but they don't trust 'Users and Computers' in this case.
I've tried to explain that the "Nt Domain" and the "Active Directory
Domain" are the SAME THING, but they're not buying it when they see a
different view in the two tools.

My questions:
1. Is anybody else having similar lockout problems?  The Q articles on
the subject don't seem to apply to this scenario.
2. When an admin uses User Manager for Domains, it obviously can make
changes only at the (emulated) PDC.  Does this mean that the lockout
status it displays is the one stored on that server, or is it possible
that it's displaying status read from a BDC?
3. Has anyone else seen a case where they had to unlock an account using
both tools before the user could log in?
4. Is there any other reason why attributes that are displayable in User
Manager for Domains should NOT be IDENTICAL to the same attributes as
displayed in Active Directory Users and Computers?  In other words,
does the PDC emulator store this data in a separate SAM that can somehow
be temporarily out of sync with the AD, or is the PDC emulator a
real-time conduit into the AD store?

Thanks for any ideas...
Dave Fugleberg


List info: http://www.activedir.org/mail_list.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Account Lockouts in mixed mode

2001-10-17 Thread DeGrands, Charles

We have 5 domains in our environment, but only one has a three-attempt lockout
policy like yours.  We are in Native mode and I have witnessed this.  At
first I blamed it on user error, since the help desk for that area is not up
to par.  Then one day it happened to me.  I hadn't logged in to the domain
in some time and once I did, I was locked out on one attempt.

Unfortunately, I don't have a cure.  I wanted to let you know that the mixed
mode might not have anything to do with it.  

Please let us know if you find anything.

-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 17, 2001 8:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockouts in mixed mode




RE: [ActiveDir] Account Lockouts in mixed mode

2001-10-17 Thread Bjelke John A Contr AFRL/VSIO

Actually, we have seen similar issues in our mixed mode domain. Sometimes,
it seems that there is a sync problem between the PDC and BDCs. Other times, we
have no clue why it is occurring to an individual over and over again. We
have even gone so far as to delete and recreate accounts in AD for users
experiencing repeated lockouts. The only common thread seems to have been
their accessing Exchange through Outlook. Users could log in after their
account was unlocked, but later in the day they would be locked out again.
Passwords were not being cached at all, and it was almost always a Win2K Pro
box that the user was logging on through. I am uncertain as to the exact
cause(s), but recreating the user object has resolved the issues for users
experiencing this.

-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 17, 2001 9:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockouts in mixed mode




RE: [ActiveDir] Account Lockouts in mixed mode

2001-10-17 Thread Sutton, James W.

I have seen this happen with persistent mapped drives.  I don't recall the
exact details but I believe it occurred after the user changes their
password.  When the persistent drive mappings were made, the user did a
"Connect As" and supplied their user ID and password.  Now the persistent
mappings are trying to connect with the old password, causing the account to
lock out.  This may be totally off-base but is the best I can recall.

Jim

-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 17, 2001 11:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockouts in mixed mode

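The per-DC comparison Dave asks about in questions 2 and 4 (is the lockout status shown by one tool the state of the PDC emulator or of some other DC?) and the stale-credential pattern Jim describes can both be checked from one script. This is an added example, not code from anyone in the thread: it assumes the ActiveDirectory RSAT module, a Windows 2000 or later DC set reachable over LDAP, and a placeholder account name.

```powershell
# Added example, not from the thread. Reads lockout-related attributes from every
# Windows 2000+ DC in the domain. NT4 BDCs hold a SAM replica and are not reachable
# over LDAP, so they are not enumerated here.
# badPwdCount and badPasswordTime are NOT replicated, so per-DC values legitimately
# differ and show where the bad attempts arrived. lockoutTime IS replicated (and
# pushed urgently to the PDC emulator), so a value that differs between the PDC
# emulator and another DC means the unlock has not converged yet.
# Assumes the ActiveDirectory RSAT module; the account name is a placeholder.
param(
    [string]$SamAccountName = 'jdoe'   # placeholder: account under investigation
)

Import-Module ActiveDirectory

$pdc   = (Get-ADDomain).PDCEmulator
$attrs = 'lockoutTime', 'badPwdCount', 'badPasswordTime', 'pwdLastSet', 'LockedOut'

function ConvertFrom-FileTime([Int64]$ft) {
    # Zero (or unset) means "never": not locked, no bad attempt, password never set.
    if ($ft -gt 0) { [DateTime]::FromFileTime($ft) } else { $null }
}

$rows = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
             -Properties $attrs -ErrorAction Stop
    } catch {
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }
    [pscustomobject]@{
        DC              = $dc.HostName
        IsPDCEmulator   = ($dc.HostName -eq $pdc)
        LockedOut       = $u.LockedOut
        LockoutTime     = ConvertFrom-FileTime $u.lockoutTime
        BadPwdCount     = $u.badPwdCount
        LastBadPassword = ConvertFrom-FileTime $u.badPasswordTime
        PwdLastSet      = ConvertFrom-FileTime $u.pwdLastSet
    }
}

$rows | Sort-Object IsPDCEmulator -Descending | Format-Table -AutoSize

# The PDC emulator is authoritative for lockout state; if it still shows LockedOut
# after an unlock was issued on another DC, the unlock has not replicated to it yet.
$authoritative = $rows | Where-Object IsPDCEmulator
if ($authoritative.LockedOut) {
    Write-Host "Account is locked according to the PDC emulator ($pdc)"
}

# Bad attempts that keep arriving after pwdLastSet fit the stale-credential pattern
# (a persistent "Connect As" drive mapping, a mail client, a service) rather than a
# user mistyping at the console.
$origin = $rows | Where-Object { $_.BadPwdCount -gt 0 } |
          Sort-Object LastBadPassword -Descending | Select-Object -First 1
if ($origin -and $origin.LastBadPassword -gt $origin.PwdLastSet) {
    Write-Host "Bad attempts since the last password change landed on $($origin.DC)"
    # Every lockout is also logged on the PDC emulator: event 4740 on Windows Server
    # 2008+ (644 on Windows 2000) names the caller computer, i.e. where the stale
    # credential lives. Properties[0] is the account, Properties[1] the caller.
    Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } `
                 -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq $SamAccountName } |
        Select-Object TimeCreated,
                      @{ n = 'Account';        e = { $_.Properties[0].Value } },
                      @{ n = 'CallerComputer'; e = { $_.Properties[1].Value } } |
        Format-Table -AutoSize
}
```

Run it as a user with read access to the domain; a DC that is unreachable is reported with a warning and skipped rather than aborting the comparison.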



Re: [ActiveDir] Account Lockouts in mixed mode

2001-10-17 Thread Neil Smith

Read MS Article Q263821 for the fix.

- Original Message -
From: "Bjelke John A Contr AFRL/VSIO" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 17, 2001 4:19 PM
Subject: RE: [ActiveDir] Account Lockouts in mixed mode




RE: [ActiveDir] Account Lockouts in mixed mode

2001-10-17 Thread Blair, James


You are not alone. Once we rolled out group policy we had the same thing
happen. I have found in testing that if you utilise the "Default Domain
Group Policy" and then import the compatws.inf security template (amend as
required) this seems to "minimalise" but not eradicate the problem. For the
stalwarts that still experience lockout, look at their accounts: go to
Active Directory Users and Computers, go to the Account tab, make sure that
Password Never Expires is ticked and that the User logon name and User logon
name (pre-Windows 2000) are both "filled in"... once this is done reset their
password to something totally different. Within the scope of your Group
Policy I would also advise that you separate the IT User Accounts and the
servers that are not DCs and apply a new group policy to that group with
"No Override" and "Block Inheritance". There is a great tool out there to
test Resultant Policy, FAZAM RFV, not the full version but free...
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/fazam2000-o.asp

Also a great "free book" on group policy; you have to register but it is well worth
it, and I have received no "junk mail" as yet as a result of registering:
http://www.fullarmor.com/ebook/read/

James

-Original Message-
From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 18 October 2001 1:20 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Account Lockouts in mixed mode
